WHAT. THE. F***?

Who even thinks of this stuff? Well besides wicked smaht people like Borepatch, that is? Apparently other cyber security people, who are not only worried about today’s hacking, but hacking in the future.

BLACK HAT USA 2011 — Las Vegas — A security researcher at Black Hat yesterday demonstrated how a hacker could remotely turn off a diabetic person’s insulin pump without his knowledge. The findings came after months of research delving into the security of the portable medical devices that monitor diabetics’ blood-sugar levels and those that deliver the body-chemistry-balancing insulin necessary to keep those levels in check throughout the day.

If this guy can hack into a continuous glucometer and insulin pump, there is likely nothing to stop other people from hacking into implanted defibrillators, pacemakers, or Left Ventricular Assist Devices (LVAD). Implanted defibrillators and pacemakers can be accessed externally to read and adjust the devices. They can be disrupted by microwaves and screening machines at airports, so they are not totally shielded.

Imagine a world leader with an implanted defibrillator. Imagine that someone wants to kill him. Imagine that someone builds a device that can cause the defibrillator to go haywire. Imagine that the device looks like, oh, say an iPhone, Droid, or other smart phone. Gives “there’s an app for that” a whole new meaning.

When one of my readers writes and sells that novel, I only want small royalties.

If something like that happens in real life, “You didn’t hear it from me.”

I can’t take the credit since I got the link from somewhere else. Maybe I should start reading that site, but it will probably give me nightmares. I’m afraid I’ll find out that someone can hack into my GPS.

This has been known for a while, but it’s just now getting ‘outed’… Sadly I DO believe we will start seeing instances of this, probably by young hackers that have NO respect for life, since everything they play with has a reset button…

For implantable defibrillators and pacemakers, devices must have a strong magnet in close proximity to the device to initiate communication (at least where I work). If a device had the radio circuitry scanning continuously for signals, the battery would be depleted rapidly and the device would have to be replaced in less than a year. A magnetic sensor is a low power way for the device to determine that someone needs to communicate with it – the device then powers up the higher power radio communication circuitry. The magnet also adds a physical step for added security to avoid accidental or malicious activation. Just don’t get too close to grandma with your stereo speaker.

Even newer devices with long range telemetry still must be “woken up” with a programmer & magnet to start longer range communication that can be continued without a magnet.

“Imagine a world leader with an implanted defibrillator.” When Mr. Cheney got his ICD, this was researched extensively and claims of vulnerability to hacking were quickly disproven. Properly installed security sensors also don’t impact them – the White House is full of them.

@Wana, a quick Google search for “TEMPEST” and “Pringles Can Antenna” will make for interesting reading.

I’m sure that the specs are as you say. I’m also confident that the people who wrote the specs didn’t for a second contemplate this scenario. Security wasn’t an afterthought. It wasn’t thought of at all.

I guess I should be happy. If the guys who wrote the specs actually thought about security, guys like me would be looking for jobs. Currently, business is pretty good.

My opinion only. I have no actual experience with these particular devices. I do, however, have the pelts of a bunch of developers who said very similar things, hanging on my trophy wall. But that’s classified.

As I said, you’re not reassuring me. In fact, you’re scaring me. Next you’ll be telling me someone can hack into my GPS and steer me off a cliff! Seriously, anything that connects to anything wirelessly can be hacked pretty easily. Wired stuff, not connected to the internet, is probably a bit tougher.

In Boston recently a company started a rent-a-bike business. The bikes are locked in racks on various streets in Boston. You can rent them for 30 minutes or more by going to the ATM-looking device, swiping a credit card and punching in a few numbers. They can be returned to any of the other rental stations in the city. I was kidding with someone that if someone had a stolen credit card they’d be able to steal a bunch of bikes, repaint them, drive them to Springfield or New Bedford, and sell them as throwaway getaway bikes to the gang bangers. Then it occurred to me that they might be connected to the Internet wirelessly. In which case I’m guessing that it wouldn’t be too tough to hack into the controller and unlock the entire rack. I wonder how long before some kid from MIT, Wentworth, or Northeastern comes to the same conclusion?
